Give apiserver full access to kubelet API #43265
cc @kubernetes/sig-auth-pr-reviews
@mikedanese @cjcullen PTAL
Why does this follow? All verbs on proxy, sure, but why the others?
- get | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes/log | ||
- nodes/stats | ||
- nodes/metrics | ||
- nodes/spec |
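Review bot: the rule listing nodes/log, nodes/stats, nodes/metrics and nodes/spec has no comment saying why this role is granted those subresources or which verbs each one needs. Add a YAML comment above the rule stating which component the role is bound to and what it calls on each subresource, so the grant can be checked against the role's name.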
I wouldn't expect a role called "node-proxy" to have mutation rights to endpoints other than proxy.
I can rename the role if that helps... this thing's job is to proxy to the kubelet API... to do that, it needs full access to the kubelet API.
> I can rename the role if that helps... this thing's job is to proxy to the kubelet API... to do that, it needs full access to the kubelet API.

Ok, so it's more akin to our `system:node-admin`?
yeah, this is the role given to the credential the apiserver uses to reach the kubelet. some deployments use a superuser credential for that.
> yeah, this is the role given to the credential the apiserver uses to reach the kubelet. some deployments use a superuser credential for that.

Ok. I think a better name would help. It makes sense for the apiserver to be a nodeadmin
@mikedanese @cjcullen do you know what the addon manager does with the old object if we rename these?
It'll delete the old one. No guarantees about 0 vs. 1 vs. both running.
Node-admin sounds to me like an ops role that would be provisioning/updating node objects...
on second thought, I agree. I think the node-proxy name is ok with a comment. the `nodes/proxy` resource is the most powerful one... the others were split out from nodes/proxy to allow granting those lesser permissions to specific users.
054706b to 0381e62
0d8d2a7 to 54798e8
/lgtm
@roberthbailey for approval
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, liggitt, roberthbailey
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
just realized the role for kube-proxy is
54798e8 to 87a8c21
how about
Still lgtm
Automatic merge from submit-queue
the kubelet stats API calls use both GET and POST. POST calls proxied through the API server were getting forbidden because only `get` was allowed.

more broadly, the apiserver is responsible for proxying authorized API calls to the kubelet API... I think this means the apiserver should have access to all verbs on the kubelet subresources.
Fixes #42045
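
The failure described above, modelled as an added example (not code from this pull request or from Kubernetes), generalized to all four split-out subresources. The `Rule` type, the `Allowed` helper, the two rule sets and the `/stats/container/` sample path are constructed; the method-to-verb and path-to-subresource mapping follows the kubelet authorization documentation in simplified form.

```go
package main

import (
	"fmt"
	"strings"
)

type Rule struct{ Verbs, Resources []string } // simplified RBAC rule (assumed shape)

// kubeletAttrs maps a kubelet API request to the verb and node subresource it is authorized as.
func kubeletAttrs(method, path string) (verb, resource string) {
	verb = map[string]string{"GET": "get", "HEAD": "get", "POST": "create",
		"PUT": "update", "PATCH": "patch", "DELETE": "delete"}[method]
	for prefix, r := range map[string]string{"/stats/": "nodes/stats",
		"/metrics/": "nodes/metrics", "/logs/": "nodes/log", "/spec/": "nodes/spec"} {
		if strings.HasPrefix(path, prefix) {
			return verb, r
		}
	}
	return verb, "nodes/proxy" // everything not split out above
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == "*" || v == s {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request's verb on its resource.
func Allowed(rules []Rule, method, path string) bool {
	verb, res := kubeletAttrs(method, path)
	for _, r := range rules {
		if verb != "" && has(r.Verbs, verb) && has(r.Resources, res) {
			return true
		}
	}
	return false
}

// Constructed rule sets modelled on the thread: get-only subresources vs. all verbs.
var sub = []string{"nodes/log", "nodes/stats", "nodes/metrics", "nodes/spec"}
var before = []Rule{{[]string{"*"}, []string{"nodes/proxy"}}, {[]string{"get"}, sub}}
var after = []Rule{{[]string{"*"}, append([]string{"nodes/proxy"}, sub...)}}

func main() {
	fmt.Println(Allowed(before, "POST", "/stats/container/"), Allowed(after, "POST", "/stats/container/"))
}
```

A POST is checked as `create`, so a `get`-only grant on `nodes/stats` rejects it even though the same credential holds every verb on `nodes/proxy`.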